Crime without punishment: Group-IB issues a new report on JS-sniffers that infected 2440 websites around the world
Group-IB, an international company that specializes in
malware designed to steal customer payment data from online stores. Group-IB researchers
analyzed 2,440 infected e-commerce websites with a total of around 1.5 million unique
daily visitors whose data could have been compromised. Group-IB’s report features an in-depth
analysis of the darknet market for JS-sniffers, their entire infrastructure, and the
monetization methods that bring their developers millions of dollars.
New threats for the e-commerce market
The e-commerce market is booming, and few people do not buy online now. According
to a Pew Research Center survey of U.S. adults, eight in ten Americans are online shoppers. However, the
convenience of online shopping has its downsides: users who use payment cards for online shopping
Prior to the publication of Group-IB’s report
“Crime without punishment: In-depth
analysis of JS-sniffers”, researchers at RiskIQ
and Flashpoint were the first to publish a joint report on the activities of cybercriminals
using JS-sniffers. They gave the umbrella term MageCart to 12 cybercriminal
groups. Group-IB experts studied the discovered JS-sniffers and, using their
own analytical systems, were able to map their entire infrastructure and
gain access to their source code, administrative panels, and the cybercriminals’
tools. This approach helped identify 38 unique JS-sniffer families, 15 of which are presented in detail in the report,
available to Group-IB Threat Intelligence customers. At least 8 of them were discovered and
described for the very first time.
The threat posed by JS-sniffers was long under the radar of malware analysts, who deemed it
insignificant and unworthy of in-depth research. However, several incidents
have shown the opposite to be true, including: 380,000 victims of a JS-sniffer
that infected the British Airways website and mobile app, the compromise of Ticketmaster
users’ payment data, and the recent incident involving the UK website of the international
sporting goods giant Fila, which could have led to the theft of the payment details
of at least 5,600 customers. “When a website is infected, everyone is a victim
– end users, payment systems, banks, and companies that sell their goods and
services online,” says Dmitry Volkov,
CTO and Head of Threat Intelligence at Group-IB. “The fact that there is
still little known about incidents involving JS-sniffers and the damages they
cause indicates that this problem is understudied,
which allows groups developing sniffers to steal money from online shoppers to act
with impunity and get away with it.”
don’t want to know about
A JS-sniffer is the online equivalent of a credit card skimmer. However, while a skimmer is a small device installed on ATMs that intercepts bank card details, a JS-sniffer is a few lines of code that cybercriminals inject into websites to capture data entered by users, such as payment card numbers, names, addresses, passwords, etc. In general, hackers sell the obtained payment data to carders on darknet forums. The price for a stolen card ranges from around $1 to $5, occasionally from $10 to $15. A significant number of underground forums where JS-sniffers are put up for sale or rent are Russian-speaking.
Approximate estimates suggest that the profits
made by JS-sniffer developers may amount to hundreds of thousands of dollars
per month. For instance, websites infected by the WebRank family of JS-sniffers
attract around 250,000 visitors every day. If the conversion rate on these websites
were only 1%, this would mean that 2,500 shoppers carry out transactions every
single day. This in turn means that, at the minimum price range charged for
stolen cards, WebRank developers can make between $2,500 and $12,500 for one day
of a JS-sniffer’s “work”, which amounts to $75,000 to $375,000 per month. Not to mention that WebRank is only third in the “ranking” of mass
infections. Websites infected by the MagentoName
and CoffeMokko JS-sniffers attract more
than 440,000 visitors per day.
How JS-sniffers attack
Group-IB’s analysis of 2,440 infected websites revealed that more than half of the resources were attacked by the MagentoName JS-sniffer family, whose operators exploit vulnerabilities in older versions of the Magento CMS (Content Management System) to inject malicious code into websites powered by this CMS. More than 13% of infections are carried out by the WebRank JS-sniffer family, which attacks third-party sites to inject its malicious code into the targeted websites. More than 11% of infections are carried out by JS-sniffers from the CoffeMokko family, whose operators use obfuscated scripts designed to steal information from the payment forms of payment systems whose field names are hardcoded into the JS-sniffer’s code. Such payment systems include PayPal, Verisign, Authorize.net, eWAY, Sage Pay, WorldPay, Stripe, USAePay, and others. Many JS-sniffer families use unique options for each payment system, which requires modifying and testing the script before each infection.
Most identified JS-sniffers are set up to
steal information from the different types of payment forms used by website management systems
such as Magento, OpenCart, Shopify, WooCommerce, and WordPress. Such JS-sniffer
families include PreMage, MagentoName,
FakeCDN, Qoogle, GetBilling, and PostEval. Other JS-sniffers are universal and can be integrated into the code of
any website, regardless of the systems used (G-Analytics, WebRank).
During its research, Group-IB discovered signs
of “competition”: some JS-sniffer families could detect and eliminate
JS-sniffers belonging to competitors that had infected the victim’s website first (for example, MagentoName). Others use the “body” of the competitor’s JS-sniffer, “taking over” the data it intercepts and transferring it to their own gate (for example, WebRank). JS-sniffers can be modified to make them more difficult to
detect. For example, ImageID and ReactGet are able to bypass most detection systems
because they are activated only when the buyer is completing their transaction
on the website; the rest of the time, the JS-sniffer is “inactive” and doesn’t give itself away. Some families, such as CoffeMokko, have a number of unique
JS-sniffers for each infection.
Each JS-sniffer in this family is used only once to
infect a single website.
JS-sniffers family is distinctive in that it not only injects malicious code
into a website’s HTML code but also into the server-side PHP scripts that handle
payments on e-commerce websites. This technique makes it significantly more
difficult for analysts to detect the malicious code. JS-sniffers such as ImageID and G-Analytics are able to imitate legitimate services
such as Google Analytics and jQuery and disguise their
malicious activity with legitimate scripts and domain names that are similar to
Attacks involving JS-sniffers can have several
stages. When analysing the code of one of the infected online stores,
Group-IB’s specialists discovered that the cybercriminals had not limited
themselves to simply injecting the JS-sniffer, but created a fake payment form
that was loaded from a different compromised website. The form gave users two
payment options: by credit card or PayPal. If the user chose to pay via PayPal,
the fake form would show an error message saying that this payment method was
currently unavailable, and the only way to pay was using a credit card.
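The two evasion patterns above, lookalike domains imitating Google Analytics or jQuery and a payment form loaded from a different compromised website, can both be surfaced by inventorying where a page’s scripts, iframes and forms point. The following audit script is an added example, not code from Group-IB’s report; the allowlist, the page host and the sample HTML are constructed for illustration.

```python
# Added example (not Group-IB's code): audit an HTML page for <script>/<iframe> sources
# and <form> actions outside an allowlist, flagging hosts that imitate allowlisted ones.
from html.parser import HTMLParser
from urllib.parse import urlsplit
import difflib

# Assumed allowlist for a hypothetical store; a real one comes from the site's own inventory.
ALLOWED_HOSTS = {"www.google-analytics.com", "code.jquery.com", "shop.example"}

class _SrcCollector(HTMLParser):
    """Collects src of <script> and <iframe> tags and action of <form> tags."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        if tag == "form" and a.get("action"):
            self.urls.append(a["action"])

def _host(url):
    # Protocol-relative URLs (//host/x) are common in injected tags; normalise them first.
    if url.startswith("//"):
        url = "https:" + url
    return urlsplit(url).hostname

def audit_page(html, allowed=ALLOWED_HOSTS, page_host="shop.example"):
    """Return (host, verdict) for every external resource found, in document order.
    verdict is 'allowed', 'lookalike' (close to an allowlisted host) or 'unknown'."""
    p = _SrcCollector()
    p.feed(html)
    findings = []
    for url in p.urls:
        host = _host(url)
        if host is None or host == page_host:
            continue  # relative or same-origin resource: nothing to compare
        if host in allowed:
            findings.append((host, "allowed"))
            continue
        close = difflib.get_close_matches(host, sorted(allowed), n=1, cutoff=0.75)
        findings.append((host, "lookalike" if close else "unknown"))
    return findings

# Constructed sample page: one legitimate tag, one lookalike host, one off-site form.
SAMPLE_HTML = """<html><body>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//www.google-analytics.cm/ga.js"></script>
<form action="https://checkout-pay.example.net/submit"><input name="cc"></form>
</body></html>"""

if __name__ == "__main__":
    for host, verdict in audit_page(SAMPLE_HTML):
        print(f"{verdict:10} {host}")
```

Run it against saved copies of checkout pages and diff the output over time; a new “unknown” or “lookalike” host on a page that handles card data is worth a manual look.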
Customers and buyers: how the JS-sniffer market works
The development of the JS-sniffer market has
led to relationships between its players becoming increasingly complicated.
A JS-sniffer can be used not only by the cybercriminal group that developed it,
but also by other groups that have bought or rented the JS-sniffer as a service.
In some cases, it is difficult to determine just how many cybercriminal groups
are using a given JS-sniffer, which is why Group-IB experts call them families,
JS-sniffers cost between $250 and $5,000 on
underground forums. Some services offer partnerships: the customer provides
access to the compromised online store and receives a share of the profits,
while the JS-sniffer developer is responsible for providing hosting servers,
tech support, and an administrative panel for the customer. Such “market
relationships” between developers, sellers, intermediaries and buyers on the
underground market make it difficult to attribute the crime committed to a particular
group. Nevertheless, the indicators collected by Group-IB linked to the
activities of each of the 38 JS-sniffer families help solve this problem.
Moreover, Group-IB’s report contains detailed recommendations for all parties
that may fall victim to JS-sniffers: shoppers, banks, online stores, and payment
systems. The research continues. Descriptions of analysed JS-sniffers and new
information about them are regularly uploaded to Group-IB’s Threat Intelligence
About the author: Group-IB is a leading provider of solutions aimed at detection and prevention of
The report published by Group-IB is available here:
The post Group-IB report: JS-sniffers infected 2440 websites around the world appeared first on Security Affairs.